A bug in macOS' "Quick Look" feature leaks encrypted data, researchers find

"This makes using encrypted containers pointless," said security researcher Patrick Wardle.
Written by Zack Whittaker, Contributor


A bug in macOS can expose the contents of a user's files -- including document text and photo thumbnails -- even if the drive is encrypted.

Security researcher Wojciech Regula found that the "Quick Look" feature in macOS, which generates a preview of a file's contents so the user can inspect it without opening the file, stores that preview data, along with the file's full path, in an unprotected location on the computer's hard drive.

Regula, a security specialist, wrote up details about the macOS data leak issue earlier this month.

"It means that all photos that you have previewed ... are stored in that directory as a miniature and its path," Regula wrote. They stay there even if you delete the files, he said.

Patrick Wardle, chief research officer at Digita Security, built on Regula's work in his own blog post, published Monday, noting that the bug is triggered every time a user opens a folder.

The bug exposes even encrypted volumes to potential snooping.

"If we unmount the encrypted volume, the thumbnails of the file are ... still stored in the user's temporary directory, and thus can be extracted," said Wardle.

He explained that the bug is an issue for anyone using encrypted volumes. If a laptop is stolen or seized by law enforcement while its encrypted volumes are unmounted and presumed safe, the Quick Look cache can still reveal the contents of files, provided the thumbnail is large enough to be legible.

"Basically, this makes using encrypted containers pointless," he said.

During a conversation on Sunday, Wardle added that the Quick Look bug also affects USB drives that have been plugged into a user's Mac at some point.

"Basically you have a forensics trail of what was on removable drives," he said. "If a person plugged in a USB drive and read 'instructions from Russia,' that fact would be stored on the computer."

There are some caveats, Wardle said.

If the main hard drive is encrypted, then the Quick Look cache -- along with everything else on the drive -- is also encrypted, meaning that any such data "may be safe" on a powered-off system. But if someone has access to the running system, this caching feature can reveal the contents, even if the password-encrypted containers are unmounted and considered safe.

The issue is known to forensic experts, said Regula, and was written about back in 2010. But Apple has not fixed the apparent data leak issue, even in the most recent version of macOS.

Offering a solution on his blog, Wardle explained how to purge the Quick Look cache from the computer.

"I think it would be pretty easy for Apple to either not generate a preview if the file is within an encrypted container, or better yet, when a volume is unmounted, delete the cache," said Wardle.

Apple did not respond to a request for comment Sunday.
